Secret regeneration in a storage system

ABSTRACT

A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.

BACKGROUND

Secret sharing splits a secret into shares (which could be termed partsor pieces of the secret), and was invented by Adi Shamir and GeorgeBlakley, independently. The secret can be regenerated, using asufficient subset (i.e., a specific threshold minimum number of sharesor up to and including all) of the shares. Depending on the scheme usedfor secret sharing, a mathematical operation or algorithm is applied toa sufficient number (specific to the scheme) of the shares, parts orpieces of the secret to recover the secret. Secrets can be used incomputing, communication and storage systems for encrypting anddecrypting data or the secrets can act as passwords, keys for locks, orfeatures for other security functions. For example, a secret (and eachof the shares, parts or pieces of the secret) can be a binary number. Ina distributed system, sending shares of a secret to different members ofthe system protects against theft of or from, or unauthorized access toany one member (or even a few members) of the system, which would atmost result in theft of a share or a few shares, but not an entire keyor enough shares to regenerate a key. Periodic generation of a new keyis desirable from the standpoint of providing additional protection.However, it may not be possible to write a new secret to all of themembers of a distributed system, because one or more members might beunavailable at the time the shares are written. If this happens, and thesystem fails, it is possible that a different set of system members willbe available upon reboot of the system, in which case the new secretmight not be recoverable, as the required quorum of shares forregenerating the secret might not be available. A distributed systemfacing such a condition might start again and re-split a secret, sendingshares to available system members, whereupon the above situation couldrecur many times or indefinitely.

It is within this context that the embodiments arise.

SUMMARY

In some embodiments, a processor-based method for secret sharing in acomputing system is provided. The method includes encrypting shares of anew secret, using a previous secret and distributing unencrypted sharesof the new secret and the encrypted shares of the new secret, to membersof the computing system. The method includes decrypting at least asubset of the encrypted shares of the new secret, using the previoussecret and regenerating the new secret from at least a subset of acombination of the unencrypted shares of the new secret and thedecrypted shares of the new secret.

In some embodiments, a tangible, non-transitory, computer-readable mediahaving instructions thereupon which, when executed by a processor, causethe processor to perform a method. The method includes encrypting, witha previous secret, shares of a new secret and distributing encryptedshares and unencrypted shares of the new secret. The method includesdecrypting, with the previous secret, available encrypted shares of thenew secret and reproducing the new secret from at least a subset ofavailable unencrypted shares of the new secret and the decrypted sharesof the new secret.

In some embodiments, a computing system with a shared secret isprovided. The computing system includes a secret generator, configuredto generate and regenerate secrets, a share splitter, configured tosplit a secret into a plurality of shares, an encryption/decryptionunit, configured to encrypt and decrypt, and one or more processors,configured to perform actions. The actions include encrypting shares ofa second secret, using a first secret and the encryption/decryption unitand sending encrypted shares and unencrypted shares of the second secretto members of the computing system. The actions include decrypting atleast a subset of the encrypted shares of the second secret, using theencryption/decryption unit and the first secret and regenerating thesecond secret, using the secret generator and unencrypted shares anddecrypted shares of the second secret.

Other aspects and advantages of the embodiments will become apparentfrom the following detailed description taken in conjunction with theaccompanying drawings which illustrate, by way of example, theprinciples of the described embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The described embodiments and the advantages thereof may best beunderstood by reference to the following description taken inconjunction with the accompanying drawings. These drawings in no waylimit any changes in form and detail that may be made to the describedembodiments by one skilled in the art without departing from the spiritand scope of the described embodiments.

FIG. 1 is a block diagram of a storage device with facilities forsharing and resharing a split secret in accordance with someembodiments.

FIG. 2 is a system diagram with multiple storage devices, generating asecret “A” and shares of the secret in accordance with some embodiments.

FIG. 3 is a system diagram with the storage devices generating a secret“B” and encrypting some of the shares of “B” with “A” in accordance withsome embodiments.

FIG. 4 is a system diagram with the storage devices regenerating thesecret “A”, decrypting encrypted shares of “B” and regenerating thesecret “B” in accordance with some embodiments.

FIG. 5 is a system diagram with a storage device decrypting a key usingone secret, and re-encrypting the key with another secret in accordancewith some embodiments.

FIG. 6 is a flow diagram of a method for secret sharing, which can bepracticed by one or more processors of a computing, communication orstorage system in accordance with some embodiments.

FIG. 7 is an illustration showing an exemplary computing device whichmay implement the embodiments described herein.

DETAILED DESCRIPTION

A system and related method for resharing of a split secret are hereindescribed. Although shown in embodiments of storage devices in a storagesystem, the mechanisms and techniques for resharing of a split secretare applicable to computing, communication or storage systems that use asecret for various functions or purposes, and can be used in systemsthat are distributed, centralized, monolithic, localized, networked,cloud-based, etc. FIGS. 1-5 show storage devices using a secret toencrypt and decrypt, or otherwise lock and unlock, a key that encryptsand decrypts data in the storage system. A new secret is generated andsplit, and some of the new shares are encrypted, using a previoussecret. Unencrypted and encrypted shares are distributed to devices ofthe system. It should be noted that a share(s) may be referred to as apart(s) of a secret or piece(s) of a secret in some embodiments. Tounlock (e.g., decrypt) the locked (or encrypted) key, the system gatherstogether available unencrypted and encrypted shares, decrypts theencrypted shares using the previous (i.e., old) secret, and uses asufficient subset of the combination of unencrypted shares and decryptedformerly encrypted shares to regenerate the new secret. Using the newsecret, the system unlocks or decrypts the locked or encrypted key,which can then be used for decrypting data in the storage system, orencrypting new data to be stored in the storage system, etc. FIG. 6presents a method for secret sharing, which is used by the presentembodiments and can also be used by other systems for other mechanismsand techniques applying secrets. The mechanism can be applied in aniterative manner, to replace an older secret with a newer secret key,e.g., on a regular or irregular basis, or on demand.

FIG. 1 is a block diagram of a storage device 102 with facilities forsharing and resharing a split secret. In present embodiments, thestorage device 102 could be or include a storage node, a storage unit,or a storage drive, and in further embodiments could be a compute onlynode in a storage cluster or storage system, or other device in anothersystem as the embodiments are not limited to storage systems and may beintegrated with any computing device. The various mechanisms shown inFIG. 1 and elsewhere in the application could be implemented insoftware, hardware, firmware or combinations thereof and included in thestorage device 102, with each storage device 102 having each of thesemechanisms, or they could be separate from and coupled to the storagedevice 102, or shared with other storage devices 102, or variouscombinations thereof. One or more processors 104 could execute softwareand operate various mechanisms within the storage device 102. Thestorage device 102 has memory 106, which includes, in some embodiments,a header section 116, a metadata 118 section, and a data storage 120. Asecret generator 108 can generate secrets, and regenerate secrets fromshares. As noted above, a secret can be split into shares and each sharemay be referred to as a part of a secret or a piece of a secret in someembodiments. A share splitter 110 splits a secret into shares. Secrets,and shares, could be for example binary, octal, decimal or hexadecimalnumbers, alphanumeric strings, or other combinations of bits or symbols.An encryption/decryption unit 112 encrypts and decrypts whatever needsencrypting or decrypting, such as in present embodiments data, a key, orshares of a secret. A communication unit 114 handles communicationbetween storage devices 102 in the storage system, or to other devicesin or external to the system, and could include a network port or otherwired or wireless communication port. Multiple storage devices 102 areconnected, e.g., via a network or bus, to form a storage system, in someembodiments.

FIG. 2 is a system diagram with multiple storage devices 102, generatinga secret “A” 210 and shares of the secret. A secret generator 108, whichcould belong to one of the storage devices 102 or be a shared resource,generates secret “A” 210, for example as a random number from a seed 224for an initial operation, or in an ongoing operation from a long-agoseed 224 in some embodiments. Each new secret could be independent ofprevious secrets, or could be based on one or more of them, e.g., as aseed 224, in various embodiments. There are many techniques forgenerating secrets and shares of secrets, and present embodiments arenot dependent on which method or mechanism is used for generatingsecrets, nor should the following examples be seen as limiting as otherknown techniques for generating secrets and shares of secrets may beintegrated with the embodiments. A key encrypting key container could beused as a secret, as could a key encrypting key plus a version number,or a data encryption key. Shares of a secret could be generated usinglinear interpolation in some embodiments. In other examples, shares of asecret could be generated using Reed Solomon coding, throwing awayoriginal data and keeping only the erasure coding, or shares of a secretcan be generated using exclusive or (XOR) operations in someembodiments. The share splitter 110 splits the secret “A” into shares“A0” 212, “A1” 214, “A2” 216, “A3” 218, “A4” 220 and “A5” 222, each ofwhich is sent to a storage device 102. As noted above, each of theshares 212-222 may be referred to as a part of a secret or piece of asecret. The number of shares and naming convention for shares depictedis by way of example only, and should not be considered limiting. Someembodiments of the system distribute more than one share to each storagedevice 102. When the system is satisfied that the shares of secret “A”210 are all successfully distributed to storage devices 102, the systemcan use the secret “A” 210 to encrypt a key 204.

The (unencrypted) key 204 is used to encrypt data 202. For example, astorage device 102 could input the data 202 and the key 204 into anencryption/decryption unit 112, which then outputs data encrypted by thekey 206 (i.e., data 202, as encrypted by the key 204). The storagedevice 102 can then store the encrypted data 206. To lock the key 204,the storage device 102 inputs the key 204 and the secret “A” 210 intothe same or another encryption/decryption unit 112, which then outputsthe key encrypted by the secret “A” 208 in some embodiments. As a resultof these operations, the storage device now stores encrypted data andhas a locked or encrypted key, and shares of the secret are distributedto storage devices 102 throughout the system. The other storage devices102 can perform similar operations with the data those storage devicesstore. Thus, the system now has encrypted data, one or more locked keys204 (which could be the same key 204 or differing keys 204 across thesystem), and a shared secret. Referring back to FIG. 1, each storagedevice 102 could store an encrypted key (e.g., a key encrypted by secret“A” 208), and one or more shares, in the header section 116 of memory106, and store encrypted data in the data storage 120 in someembodiments.

FIG. 3 is a system diagram with the storage devices 102 generating asecret “B” 302 and encrypting some of the shares of “B” with “A”. Thesystem is able to decrypt data, and encrypt data, after unlocking ordecrypting the key 204 (see FIG. 2). To recover the key 204, a storagedevice 102 gathers together as many shares of “A” 304 as are available(considering that some other storage devices 102 may be unresponsive,off-line, failed, or otherwise temporarily or permanently unavailable).If all of the shares of “A” 304, or at least a minimum threshold numberof the shares of “A” 304 to meet the sufficient subset of sharesrequirement, are available, the available shares are input into thesecret generator 108 which regenerates the secret “A” 210. The storagedevice 102 inputs the secret “A” 210 and the key encrypted by secret “A”208 into the same or another encryption/decryption unit 112, whichoutputs the decrypted key 310 (i.e., the same key 204 that wasoriginally encrypted by the secret “A” 210). The decrypted key 310 isinserted into the same or another encryption/decryption unit 112 alongwith the data encrypted by key 306 (e.g., the same or other data 202that was encrypted using the key 204 in FIG. 2), and theencryption/decryption unit 112 outputs decrypted data 308, for use orstorage by the storage device 102 or elsewhere within or external to thesystem. The storage device 102 could also use the decrypted key 310 toencrypt further data, using the process shown in FIG. 2. The system nowhas a mechanism to unlock or decrypt an encrypted or locked key, and usethe now-decrypted or unlocked key to decrypt or encrypt data.

Still referring to FIG. 3, to transition to a new secret, the secretgenerator 108 generates the secret “B” 302. The share splitter 110splits the new secret “B” 302 into shares “B0” 312, “B1” 314, “B2” 316,“B3” 318, “B4” 320, and “B5” 322. These new shares are fed into theencryption/decryption unit 112 along with the previous or old secret “A”210, resulting in encrypted shares “B0” 324 encrypted by “A”, encryptedshares “B 1” 326 encrypted by “A”, encrypted shares “B2” 328 encryptedby “A”, encrypted shares “B3” 330 encrypted by “A”, encrypted shares“B4” 332 encrypted by “A”, and encrypted shares “B5” 334 encrypted by“A”. The new shares (from new secret “B” 302) and encrypted new sharesare sent to the storage devices 102 in various combinations, which couldbe specific to system implementations. In some embodiments, each storagedevice 102 receives at least one unencrypted share based on the newsecret “B” 302 and at least one encrypted but different share also basedon the new secret “B” 302, e.g., a different share based on secret “B”302 and encrypted by the old or previous secret “A” 210. In the exampleshown, one storage device 102 receives the share “B0” 312 and “B 1” 314encrypted by “A” 326, and the other storage devices 102 each receive acorresponding share and differing encrypted share. If any one or twostorage devices 102 are unavailable at any given time, sufficient sharesand encrypted shares are available to make a sufficient subset of sharesfor recovery of the secret, as will be shown below with reference toFIG. 4.

It should be appreciated that various combinations of sets and subsetsof encrypted and unencrypted shares are possible, and it is not requiredthat the encrypted shares be encrypted from the unencrypted shares. Forexample, the system could generate a set of shares (e.g., from the sharesplitter 110), and encrypt some of the shares while leaving others ofthe shares unencrypted. Alternatively, the system could generate a setof shares, keep a copy of these unencrypted shares, and encrypt the sameshares. In some embodiments, a combination of the above could beapplied, e.g., with some shares distributed in both encrypted andunencrypted form, and other shares distributed only in encrypted form oronly in unencrypted form. The total number of shares and/or thethreshold number of shares required for regeneration of a secret couldbe set as a system dependent or situation dependent number. Two examplesare provided below for illustrative purposes.

In a first example, there are seven storage devices 102, a minimum offive shares are needed to reconstruct a secret, and some of the devicesare unavailable, as shown in Table 1.

TABLE 1 storage devices 0 1 2 3 4 5 6 shares of A0 A1 A2 A3 A4 A5 A6secret “A” unencrypted B0 B1 B2 B3 B4 shares of secret “B” encryptedA(B4, A(B5, A(B0, A(B0, A(B1, shares of B5) B6) B6) B1) B2) secret “B”storage device yes yes yes yes yes no no available for writing secretshares storage device yes yes yes no no yes yes available for reading,reconstructing secretThe storage devices are numbered from zero through six (see first or toprow of table 1). Each of the storage devices has a share of the secret“A” (see second row of table 1). In this example the system has starteddistributing shares of the secret “B”, but encountered some storagedevices that are unavailable (see fifth or second from the bottom row oftable 2). The first five shares of the secret “B” are successfullydelivered to the first five storage devices (see third row of table 1).The first five storage devices have also received encrypted shares ofthe secret “B” (see fourth row of table 1). So, the first storage device102 (numbered “0”) has two encrypted shares of secret “B”, namely the B4share encrypted by secret “A” and the B5 share encrypted by secret “A”(shown in the table as A(B4, B5)). The next four storage devices 102each have two more encrypted shares of secret “B”. Distribution of theshares of secret “B”, in unencrypted and encrypted form, is “successful”because all but two devices have received shares, and may be recovereddirectly by reading shares from each of the five devices 0-4. Secret “A”can be recovered from the five storage devices that are available, byobtaining the A0, A1, A2, A3 and A4 shares of “A” from the availablestorage devices 102 and regenerating the secret “A”. In someembodiments, if a different set of storage devices is available, asshown in the bottom row of table 2, because the two storage devices thatwere off-line during the writing of the secret shares become online andtwo other storage devices go off-line, the secret “A” could beregenerated from the A0, A1, A2, A5, A6 shares. In this example, onlythe first three unencrypted shares of secret “B”, namely B0, B1 and B2,are available. Then, using the now recovered secret “A”, the system candecrypt two more shares of the secret “B” from the first storage device102. That is, the system obtains the B4 share encrypted by secret “A”and the B5 share encrypted by secret “A”, and decrypts each of theseusing the secret “A”. Now, from the five recovered shares of secret “B”,namely B0, B1, B2, B4 and B5, the system regenerates the secret “B”. Itshould be appreciated that this example shows how a secret can bewritten and recovered, even though one or more storage devices areoff-line during the writing of the secret, and a different one or morestorage devices are off-line during the reading and recovery of thesecret.

In a second example, there are again seven storage devices, a minimum offive shares are needed to reconstruct a secret, and some of the devicesare unavailable during writing or reading, as shown in Table 2.

TABLE 2 storage devices 0 1 2 3 4 5 6 shares of A0 A1 A2 A3 A4 A5 A6secret “A” unencrypted B0 B1 B2 B5 B6 shares of secret “B” encryptedA(B7) A(B8) A(B9) A(B12) A(B13) shares of secret “B” storage device yesyes yes no no yes yes available for writing secret shares storage deviceyes yes yes yes yes no no available for reading, reconstructing secretAs in the previous example, the storage devices are numbered from zerothrough six (see first or top row of table 2). Each of the storagedevices has a share of the secret “A” (see second row of table 2). Thesystem has begun distributing shares of the secret “B”, but some of thestorage devices are unresponsive (see fifth row of table 2). The firstthree shares of the secret “B” are successfully delivered to the firstthree storage devices, and the last two shares of the secret “B” aresuccessfully delivered to the last two storage devices (see third row oftable 2). The first three and last two storage devices have also eachreceived one encrypted share of the secret “B” (see fourth row of table2). So, the first storage device (numbered “0”) has one encrypted shareof secret “B”, namely the B7 share encrypted by secret “A” (shown intable 2 as A(B7)). The next two storage devices each have one moreencrypted share of secret “B”. Distribution of the shares of secret “B”,in unencrypted and encrypted form, is incomplete, since two devices havenot received their shares, but the secret “B” is still recoverable evenif there were a system crash or other failure, or different storagedevices were unavailable for reading. Secret “A” can be recovered if thesame five storage devices are available for reading as were availablefor writing the secret shares, by obtaining the A0, A1, A2, A5 and A6shares of “A” from the available storage devices (in the sixth or lastrow of table 2) and regenerating the secret “A”. In some embodiments thesystem attempts to recover the secret “B”, but storage devices numberfive and six are unavailable (see sixth or last row of table 2). In thisembodiment, the system could still recover the secret “A” as describedabove regarding table 1. It should be appreciated that the embodimentsenable multiple possibilities to recover secret “B”. The system couldgather five unencrypted shares of the secret “B”, namely B0, B1, B2, B5and B6, and regenerate the secret “B” from them, if the same storagedevices are available for reading as were available for writing thesecret shares. The system could use the recently recovered secret “A” todecrypt one or more of the available encrypted shares of secret “B”,then combine with some of the unencrypted shares of the secret “B” untila sufficient number of shares of secret “B” is obtained to regeneratethe secret “B”. This could be accomplished with unencrypted shares B0,B2, B6 and decrypted shares B8 and B9, or unencrypted shares B1 and B5and decrypted shares B7, B8 and B9, or other combination of sufficientnumber of shares of secret “B” gathered from available unencrypted anddecrypted shares. If storage devices numbered five and six were off-lineat the time of reconstructing the secret, as shown in the sixth orbottom row of table 2, the secret “B” could be reconstructed from theunencrypted shares B0, B1, B2 and decrypted shares B7 and B8 or B9, orsome other combination of five shares. By using a combination ofencrypted and unencrypted shares of a secret, distributed to storagedevices in various combinations, the system can recover a secret even incases where one or more storage devices are unavailable while theencrypted and unencrypted shares are being written to storage devices,and a different one or more storage devices are unavailable while thesystem reconstructs the secret. Various further scenarios of storagedevices being unavailable when secret shares are being written, and thesame or differing storage devices being unavailable when secret sharesare being read and a secret reconstructed, are readily devised inkeeping with the teachings disclosed herein.

FIG. 4 is a system diagram with the storage devices 102 regenerating thesecret “A” 210, decrypting encrypted shares of “B” and regenerating thesecret “B” 302. Keeping in mind that one or more of the storage devices102 may be unavailable or unresponsive at any given time, the systemgathers together shares of the secret “A” 210, for example by havingstorage devices 102 communicate with each other. The system also gatherstogether encrypted and unencrypted shares of the secret “B” 302. If thesystem is able to gather together a sufficient subset of shares of “A”402, i.e., anywhere from at least the threshold number of shares ofsecret “A” 210 needed to regenerate the secret “A” 210 up to andincluding all of the shares of “A”, these shares are inserted into thesecret generator 108, which regenerates the secret “A” 210. If notenough shares are available, the system can wait for a period of timeand retry gathering a sufficient number of shares in some embodiments.Once the secret “A” 210 is regenerated, the secret “A” 210 and theavailable “A” encrypted shares of “B” 404 (i.e., shares of the secret“B” 302 as encrypted by the secret “A” 210 in FIG. 3) are input into thesame or a differing encryption/decryption unit 112, which producesdecrypted shares of “B” 408. If the combination of the gatheredunencrypted shares of “B” 406 and the now decrypted shares of “B” 408forms a sufficient subset of shares of “B” 410 (i.e., anywhere from atleast the threshold number of shares of secret “B” 302 needed toregenerate the secret “B” 302 up to and including all of the shares of“B”), a sufficient number of these shares are input into the same or adiffering secret generator 108, which outputs the regenerated secret “B”302. If not enough shares are available, the system can wait for aperiod of time and retry gathering a sufficient number of shares in someembodiments.

FIG. 5 is a system diagram with a storage device 102 decrypting a keyusing one secret, and re-encrypting the key with another secret. In someembodiments, the system determines that all storage devices 102 havereceived their respective (unencrypted and/or encrypted) shares of thenew secret, before proceeding with re-encrypting a key 204 with a newsecret. This can be accomplished using polling, acknowledgment or othercommunication among storage devices 102 or other members of a system. Tore-encrypt the key 204, e.g., the key 204 which was used to encrypt data202 and which was encrypted with the secret “A” in FIG. 2, the storagedevice 102 obtains the key encrypted by secret “A” 208. The secret “A”210 and the key encrypted by secret “A” 208 are input into the same or adiffering encryption/decryption unit 112, which outputs the decryptedkey 310 (i.e., the same number, or combination of bits or symbols as theoriginal key 204). The decrypted key 310 and the secret “B” 302 areinput into the same or another encryption/decryption unit 112, whichoutputs the key encrypted by “B” 502. This procedure can be usediteratively, to reeencrypt a key with new secrets on an ongoing basis.Once new shares are stored and verified stored, previous versions (ofshares and/or encrypted keys) can be destroyed, making share rotationpossible and adding security.

With reference back to FIGS. 1-5, it is readily appreciated that presentembodiments of storage devices 102 in a storage system, or othercomputing, communication or storage systems, could apply the abovemechanisms and techniques iteratively. For example, after distributingshares of secret “B” 302 in both encrypted and unencrypted form,verifying that storage devices 102 have received respective shares, andre-encrypting the key 204 with the secret “B” 302, the system can repeatthese processes for a new secret “C”, using the secret “B” as theprevious or old secret. This process then repeats for the next newsecret “D”, using the secret “C” as the previous or old secret, and soon. Systems that use a secret for other mechanisms or purposes may omitor modify the data encrypting and/or key encrypting processes accordingto designs or circumstances in some embodiments. In some versions,off-site storage is used for some of the encrypted and/or unencryptedshares. In some embodiments, the system can use new shares to regeneratefurther new shares for members of the system that are missing shares(whether encrypted or unencrypted), and update those members. It shouldbe appreciated that the mechanism discussed above is faster and morereliable than updating all of the members of the system, and prevents anattack under which an attacker always keeps multiple members out of asystem to prevent resharing. In a further embodiment, a master key canunlock a system with fewer members than might otherwise be required.Some of the shares can be encrypted with a key, but the key is thenstored in or external to the system. By itself, the stored key cannotunlock a system member, however, the key can unlock the shares encryptedwith that key. The mechanisms and techniques described herein improvereliability, security and responsiveness of a secure system, and providea way to reliably advance to a new secret in the face of varyingavailability of various devices in the system while maintaining securityagainst theft or unauthorized access of portions of the system.

FIG. 6 is a flow diagram of a method for secret sharing, which can bepracticed by one or more processors of a computing, communication orstorage system. The method can be practiced on or by embodiments of thestorage device as described above or any other computing device. In anaction 602, shares are generated from a new secret. A subset of theshares is encrypted, using a previous secret, in an action 604.Unencrypted and encrypted shares are distributed, in an action 606. Theshares that are encrypted could be the same as, or different from, someor all of the unencrypted shares, in various embodiments of the method.

To later recover the new secret, the previous secret is regenerated inan action 608. The previous secret is regenerated from a sufficientsubset of shares of the previous secret. This would be a thresholdnumber of shares of the previous secret, or all of the shares of theprevious secret, or any number of shares in between these two numbers ofshares. The encrypted shares of the new secret are decrypted, using theprevious secret, in an action 610. In an action 612, the new secret isregenerated, from a sufficient subset of shares. This would be athreshold number of shares of the new secret, or all of the shares ofthe new secret, or any number of shares in between these two numbers ofshares, from the combination of the gathered available unencryptedshares and the decrypted shares from the gathered available encryptedshares.

It should be appreciated that the methods described herein may beperformed with a digital processing system, such as a conventional,general-purpose computer system. Special purpose computers, which aredesigned or programmed to perform only one function may be used in thealternative. FIG. 7 is an illustration showing an exemplary computingdevice which may implement the embodiments described herein. Thecomputing device of FIG. 7 may be used to perform embodiments of thefunctionality for resharing of a split secret in accordance with someembodiments. The computing device includes a central processing unit(CPU) 701, which is coupled through a bus 705 to a memory 703, and massstorage device 707. Mass storage device 707 represents a persistent datastorage device such as a floppy disc drive or a fixed disc drive, whichmay be local or remote in some embodiments. The mass storage device 707could implement a backup storage, in some embodiments. Memory 703 mayinclude read only memory, random access memory, etc. Applicationsresident on the computing device may be stored on or accessed via acomputer readable medium such as memory 703 or mass storage device 707in some embodiments. Applications may also be in the form of modulatedelectronic signals modulated accessed via a network modem or othernetwork interface of the computing device. It should be appreciated thatCPU 701 may be embodied in a general-purpose processor, a specialpurpose processor, or a specially programmed logic device in someembodiments.

Display 711 is in communication with CPU 701, memory 703, and massstorage device 707, through bus 705. Display 711 is configured todisplay any visualization tools or reports associated with the systemdescribed herein. Input/output device 709 is coupled to bus 705 in orderto communicate information in command selections to CPU 701. It shouldbe appreciated that data to and from external devices may becommunicated through the input/output device 709. CPU 701 can be definedto execute the functionality described herein to enable thefunctionality described with reference to FIGS. 1-6. The code embodyingthis functionality may be stored within memory 703 or mass storagedevice 707 for execution by a processor such as CPU 701 in someembodiments. The operating system on the computing device may be MSDOS™, MS-WINDOWS™, OS/2™, UNIX™, LINUX™, or other known operatingsystems. It should be appreciated that the embodiments described hereinmay also be integrated with a virtualized computing system implementedwith physical computing resources.

Detailed illustrative embodiments are disclosed herein. However,specific functional details disclosed herein are merely representativefor purposes of describing embodiments. Embodiments may, however, beembodied in many alternate forms and should not be construed as limitedto only the embodiments set forth herein.

It should be understood that although the terms first, second, etc. maybe used herein to describe various steps or calculations, these steps orcalculations should not be limited by these terms. These terms are onlyused to distinguish one step or calculation from another. For example, afirst calculation could be termed a second calculation, and, similarly,a second step could be termed a first step, without departing from thescope of this disclosure. As used herein, the term “and/or” and the “/”symbol includes any and all combinations of one or more of theassociated listed items.

As used herein, the singular forms “a”, “an” and “the” are intended toinclude the plural forms as well, unless the context clearly indicatesotherwise. It will be further understood that the terms “comprises”,“comprising”, “includes”, and/or “including”, when used herein, specifythe presence of stated features, integers, steps, operations, elements,and/or components, but do not preclude the presence or addition of oneor more other features, integers, steps, operations, elements,components, and/or groups thereof. Therefore, the terminology usedherein is for the purpose of describing particular embodiments only andis not intended to be limiting.

It should also be noted that in some alternative implementations, thefunctions/acts noted may occur out of the order noted in the figures.For example, two figures shown in succession may in fact be executedsubstantially concurrently or may sometimes be executed in the reverseorder, depending upon the functionality/acts involved.

With the above embodiments in mind, it should be understood that theembodiments might employ various computer-implemented operationsinvolving data stored in computer systems. These operations are thoserequiring physical manipulation of physical quantities. Usually, thoughnot necessarily, these quantities take the form of electrical ormagnetic signals capable of being stored, transferred, combined,compared, and otherwise manipulated. Further, the manipulationsperformed are often referred to in terms, such as producing,identifying, determining, or comparing. Any of the operations describedherein that form part of the embodiments are useful machine operations.The embodiments also relate to a device or an apparatus for performingthese operations. The apparatus can be specially constructed for therequired purpose, or the apparatus can be a general-purpose computerselectively activated or configured by a computer program stored in thecomputer. In particular, various general-purpose machines can be usedwith computer programs written in accordance with the teachings herein,or it may be more convenient to construct a more specialized apparatusto perform the required operations.

A module, an application, a layer, an agent or other method-operableentity could be implemented as hardware, firmware, or a processorexecuting software, or combinations thereof. It should be appreciatedthat, where a software-based embodiment is disclosed herein, thesoftware can be embodied in a physical machine such as a controller. Forexample, a controller could include a first module and a second module.A controller could be configured to perform various actions, e.g., of amethod, an application, a layer or an agent.

The embodiments can also be embodied as computer readable code on atangible non-transitory computer readable medium. The computer readablemedium is any data storage device that can store data, which can bethereafter read by a computer system. Examples of the computer readablemedium include hard drives, network attached storage (NAS), read-onlymemory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes,and other optical and non-optical data storage devices. The computerreadable medium can also be distributed over a network coupled computersystem so that the computer readable code is stored and executed in adistributed fashion. Embodiments described herein may be practiced withvarious computer system configurations including hand-held devices,tablets, microprocessor systems, microprocessor-based or programmableconsumer electronics, minicomputers, mainframe computers and the like.The embodiments can also be practiced in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through a wire-based or wireless network.

Although the method operations were described in a specific order, itshould be understood that other operations may be performed in betweendescribed operations, described operations may be adjusted so that theyoccur at slightly different times or the described operations may bedistributed in a system which allows the occurrence of the processingoperations at various intervals associated with the processing.

In various embodiments, one or more portions of the methods andmechanisms described herein may form part of a cloud-computingenvironment. In such embodiments, resources may be provided over theInternet as services according to one or more various models. Suchmodels may include Infrastructure as a Service (IaaS), Platform as aService (PaaS), and Software as a Service (SaaS). In IaaS, computerinfrastructure is delivered as a service. In such a case, the computingequipment is generally owned and operated by the service provider. Inthe PaaS model, software tools and underlying equipment used bydevelopers to develop software solutions may be provided as a serviceand hosted by the service provider. SaaS typically includes a serviceprovider licensing software as a service on demand. The service providermay host the software, or may deploy the software to a customer for agiven period of time. Numerous combinations of the above models arepossible and are contemplated.

Various units, circuits, or other components may be described or claimedas “configured to” perform a task or tasks. In such contexts, the phrase“configured to” is used to connote structure by indicating that theunits/circuits/components include structure (e.g., circuitry) thatperforms the task or tasks during operation. As such, theunit/circuit/component can be said to be configured to perform the taskeven when the specified unit/circuit/component is not currentlyoperational (e.g., is not on). The units/circuits/components used withthe “configured to” language include hardware—for example, circuits,memory storing program instructions executable to implement theoperation, etc. Reciting that a unit/circuit/component is “configuredto” perform one or more tasks is expressly intended not to invoke 35U.S.C. 112, sixth paragraph, for that unit/circuit/component.Additionally, “configured to” can include generic structure (e.g.,generic circuitry) that is manipulated by software and/or firmware(e.g., an FPGA or a general-purpose processor executing software) tooperate in manner that is capable of performing the task(s) at issue.“Configured to” may also include adapting a manufacturing process (e.g.,a semiconductor fabrication facility) to fabricate devices (e.g.,integrated circuits) that are adapted to implement or perform one ormore tasks.

The foregoing description, for the purpose of explanation, has beendescribed with reference to specific embodiments. However, theillustrative discussions above are not intended to be exhaustive or tolimit the invention to the precise forms disclosed. Many modificationsand variations are possible in view of the above teachings. Theembodiments were chosen and described in order to best explain theprinciples of the embodiments and its practical applications, to therebyenable others skilled in the art to best utilize the embodiments andvarious modifications as may be suited to the particular usecontemplated. Accordingly, the present embodiments are to be consideredas illustrative and not restrictive, and the invention is not to belimited to the details given herein, but may be modified within thescope and equivalents of the appended claims.

What is claimed is:
 1. A method, comprising: encrypting shares of afirst secret, the encrypting utilizing a second secret; distributingunencrypted shares of the first secret and the encrypted shares of thefirst secret to members of a computing system; decrypting at least asubset of the encrypted shares of the first secret; and regenerating thefirst secret from at least a subset of a combination of the unencryptedshares of the first secret and the decrypted shares of the first secret.2. The method of claim 1, further comprising: regenerating the secondsecret from shares of the second secret, wherein regenerating the firstsecret and regenerating the second secret are responsive to a powerloss.
 3. The method of claim 1, further comprising: encrypting a key,using the first secret, in response to determining that all of themembers of the computing system have received the distributed shares ofthe first secret.
 4. The method of claim 1, further comprising:decrypting an encrypted data encryption key, using the first secret. 5.The method of claim 1, further comprising: distributing at least oneregenerated share of the first secret to at least one member of thecomputing system that does not have a share of the first secret.
 6. Themethod of claim 1, further comprising: deleting the second secret,responsive to determining whether all of the members of the computingsystem have received shares of the first secret.
 7. The method of claim1, further comprising: iterating the encrypting, distributing,decrypting and regenerating for a plurality of further secrets, whereineach member of the computing system receives an unencrypted share of thefirst secret and an encrypted, differing share of the first secret.
 8. Atangible, non-transitory, computer-readable media having instructionsthereupon which, when executed by a processor, cause the processor toperform a method comprising: encrypting shares of a first secret, theencrypting utilizing a second secret; distributing unencrypted shares ofthe first secret and the encrypted shares of the first secret to membersof a computing system; decrypting at least a subset of the encryptedshares of the first secret; and regenerating the first secret from atleast a subset of a combination of the unencrypted shares of the firstsecret and the decrypted shares of the first secret.
 9. Thecomputer-readable media of claim 8, wherein the method furthercomprises: regenerating the second secret from shares of the secondsecret, and wherein each member of the computing system receives anunencrypted share of the first secret and an encrypted, differing shareof the first secret.
 10. The computer-readable media of claim 8, whereinthe method further comprises: encrypting a key, using the first secret,in response to determining that all of the members of the computingsystem have received the distributed shares of the first secret.
 11. Thecomputer-readable media of claim 8, wherein the method furthercomprises: decrypting an encrypted data encryption key, using the firstsecret.
 12. The computer-readable media of claim 8, wherein the methodfurther comprises: distributing at least one regenerated share of thefirst secret to at least one member of the computing system that doesnot have a share of the first secret.
 13. The computer-readable media ofclaim 8, wherein the method further comprises: deleting the secondsecret, responsive to determining whether all of the members of thecomputing system have received shares of the first secret.
 14. Thecomputer-readable media of claim 8, wherein the distributing includessending at least one share of the first secret to off-site storage. 15.The computer-readable media of claim 8, wherein the method furthercomprises: iterating the encrypting, distributing, decrypting andregenerating for a plurality of further first secrets.
 16. A computingsystem with a shared secret, comprising: a secret generator, configuredto generate and regenerate secrets; a share splitter, configured tosplit a secret into a plurality of shares; an encryption/decryptionunit, configured to encrypt and decrypt; and one or more processors,configured to perform actions comprising: encrypting shares of a firstsecret, the encrypting utilizing a second secret; distributingunencrypted shares of the first secret and the encrypted shares of thefirst secret to members of a computing system; decrypting at least asubset of the encrypted shares of the first secret; and regenerating thefirst secret from at least a subset of a combination of the unencryptedshares of the first secret and the decrypted shares of the first secret.17. The computing system of claim 16, further comprising: a memoryhaving a header section configured to store keys and shares of secrets,and a data storage configured for storage of encrypted data, distinctfrom the header section.
 18. The computing system of claim 16, whereinthe actions further comprise: regenerating the second secret from sharesof the second secret, and wherein each member of the computing systemreceives an unencrypted share of the first secret and an encrypted,differing share of the first secret.
 19. The computing system of claim16, wherein the actions further comprise: encrypting a key, using thefirst secret, in response to determining that all of the members of thecomputing system have received the distributed shares of the firstsecret.
 20. The computing system of claim 16, wherein the actionsfurther comprise: deleting the second secret, responsive to determiningwhether all of the members of the computing system have received sharesof the first secret.